Mobile DNI

Mobile DNI can be described as a target using their cell phone or cellular technology to access the Internet and e-mail.

There are essentially two “types” of collection:

- Collection within the GPRS/3G network (i.e. the Abis link)
- Collection within the public Internet (FORNSAT/F6/SSO/FISA/etc.)
Mobile DNI Collect comes in two main types:

Converged collection
- Convergence of DNR & DNI selectors!
- Mostly from F6 collection
- In most cases, needs to be “near” the infrastructure

[diagram: handset, cellular network, Gateway, public Internet]

Traditional collection
- Looks like regular DNI but with “hints” that the source is a cell phone
- Collection could be F6, FORNSAT, SSO, FISA
HTTP activity comes in two types:

[diagram: client to server (request) and server to client (response), drawn between a client and the cnn.com server]
Mobile DNI: Converged collection

Examples of “converged” collection:
- GPRS by F6 JUGGERNAUTS
- WLL/CDMA by SCREAMIN (OTRS)

All “converged” collection is put into the “Cellular DNI” plug-in of XKS, which gives you the ability to query for DNI traffic based on DNR selectors (IMSI, IMEI, MSISDN, etc.) where applicable.
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no 01 [01 WW 
Mobile DNI: Converged collection

DNR & DNI metadata will be together.

[screenshot: metadata table with columns USER ACTIVITY, USER ID, COOKIE, ACTIVE USER, ACTIVE USER IP, ACTIVITY. The GPRS identifiers c1b09e4e <TLLI> and an <IMSI> appear on the same rows as DNI events such as “server to client”, “<yahoo> logged in (email)”, “<yahoo> seen with machine ID” and “previous IP”; the TLLI entry shows 2 possible previous TLLI values]
Mobile DNI: Converged collection

X-KEYSCORE’s Cellular DNI plug-in allows you to query on the DNR selectors for Persona Analysis.

[screenshot: XKS query form. The plug-in list includes BlackBerry, Category, Document Metadata, Document Tagging, Email Addresses, Extracted Files, Full Log DNI, HTTP Activity, IRC, Logins and Passwords and further plug-ins. Form fields: Query Name, Justification, Additional Justification, Miranda Number, Interface, Hit Status, IMSI, TMSI, IMEI, MCC, Date/Time (1 Week, Start / Stop)]
Mobile DNI: Converged collection

By taking the IMSI we found in MARINA we can identify all of the DNI traffic (webmail, web-surfing etc.) that originated from that same mobile subscriber.

[screenshot: Cellular DNI results for one IMSI (beginning 41805...). Columns: IMSI, Application Info, Application, AppID (+Fingerprints). Rows show http response entries and repeated Yahoo! Front Page and Mail (mail/webmail/yahoo) hits, all tied to the same IMSI]
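The two converged-collection slides above (DNR and DNI metadata on the same rows; pivoting from an IMSI found in MARINA to that subscriber’s DNI traffic) rest on one join: the DNI side only carries the temporary link identifier (TLLI), and the DNR side says which IMSI that TLLI belonged to at a given time. The example below is added here and is not code from the slides or from XKS; it assumes constructed records with test-range IMSIs (MCC 001), and assumes the TLLI-to-IMSI mapping must be resolved at the time of each event because a TLLI can be reassigned to another subscriber.

```python
"""Time-bounded TLLI -> IMSI resolution, then a Cellular-DNI-style pivot by IMSI.

Added example with constructed data; not the slides' own tooling or records.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class TlliAssignment:
    """DNR side: signalling that tied a TLLI to an IMSI from `start` onwards."""
    tlli: str
    imsi: str
    start: datetime


@dataclass(frozen=True)
class HttpEvent:
    """DNI side: one user-activity record, keyed only by the TLLI seen on the link."""
    tlli: str
    when: datetime
    host: str
    activity: str


def imsi_for(tlli: str, when: datetime, assignments: List[TlliAssignment]) -> Optional[str]:
    """Resolve a TLLI to the IMSI it belonged to at `when`.

    The TLLI is temporary, so the right answer is the latest assignment that
    started at or before the event, not simply any row with a matching TLLI.
    """
    live = [a for a in assignments if a.tlli == tlli and a.start <= when]
    if not live:
        return None  # no DNR record covers this TLLI at that time
    return max(live, key=lambda a: a.start).imsi


def dni_for_imsi(imsi: str, assignments: List[TlliAssignment],
                 events: List[HttpEvent]) -> List[HttpEvent]:
    """The pivot the slides describe: every DNI event that resolves to this IMSI."""
    hits = [e for e in events if imsi_for(e.tlli, e.when, assignments) == imsi]
    return sorted(hits, key=lambda e: e.when)


# Constructed sample data (MCC 001 test-range IMSIs); not captured records.
ASSIGNMENTS = [
    TlliAssignment("c1b09e4e", "001010000000001", datetime(2009, 5, 5, 10, 0)),
    # the same TLLI is reassigned to a different subscriber an hour later
    TlliAssignment("c1b09e4e", "001010000000002", datetime(2009, 5, 5, 11, 0)),
    # subscriber 1 re-attaches and receives a new TLLI
    TlliAssignment("c1b09e4b", "001010000000001", datetime(2009, 5, 5, 11, 5)),
]
EVENTS = [
    HttpEvent("c1b09e4e", datetime(2009, 5, 5, 10, 30), "intl.m.yahoo.com", "logged in (email)"),
    HttpEvent("c1b09e4e", datetime(2009, 5, 5, 11, 30), "intl.m.yahoo.com", "server to client"),
    HttpEvent("c1b09e4b", datetime(2009, 5, 5, 11, 45), "m.yahoo.com", "client to server"),
    HttpEvent("deadbeef", datetime(2009, 5, 5, 12, 0), "www.cnn.com", "client to server"),
]

if __name__ == "__main__":
    # Subscriber 1 gets the 10:30 event on the old TLLI and the 11:45 event on the new one;
    # the 11:30 event on the old TLLI belongs to subscriber 2 and must not be attributed to 1.
    for e in dni_for_imsi("001010000000001", ASSIGNMENTS, EVENTS):
        print(e.when.isoformat(), e.tlli, e.host, e.activity)
```

Joining on TLLI alone would hand subscriber 1 the 11:30 event that is actually subscriber 2’s; the time-bounded lookup is what makes the “2 possible previous TLLI” history on the earlier slide usable.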
Mobile DNI: Traditional Collection

After the DNI traffic exits the GPRS/WLL/CDMA Gateway, it will travel over the public Internet and can be collected through “traditional” DNI accesses like FORNSAT, F6, SSO, FISA etc.
Mobile DNI: Traditional Collection

Sometimes it’s difficult to tell if your target is using a cell phone to access his e-mail.

MARINA currently provides little or no “hints”.

[screenshot: MARINA results from May 2009 with columns TSA, USER ID, FRONT, ACTIVITY, COOKIE, ACTIVE USER, ACTIVE USER IP, ACTIVITY. Rows show “client to server”, “<yahoo> logged in (email)”, “seen with machine ID 9rvueuh4slr97 <yahooBcookie>” and “previous IP” events, timestamps 20090505 192943Z through 20090506 192805Z. Nothing in the rows indicates a handset]
Mobile DNI: Traditional Collection

X-KEYSCORE “User Activity” provides some hints.

Note the fingerprint of browser/cellphone/nokia.

[screenshot: User Activity results. Search For: username; Application: mail/webmail/yahoo; AppID (+Fingerprints): browser/cellphone/nokia and cellphone/wap fingerprint/phone/nokia/generic_mobile on every row]
Mobile DNI: Traditional Collection

X-KEYSCORE “HTTP Activity” also provides some hints!

Note the hostname of intl.m.yahoo.com and user agent of:

NokiaN72/5.0706.4.0.1 Series60/2.8 Profile/MIDP-2.0 Configuration/CLDC-1.1

[screenshot: one HTTP Activity row]
HTTP Type: get
Host: intl.m.yahoo.com
URL Path: pp/messenger
URL Args: (garbled; contains c=yahoo and an r= parameter)
Cookie: Y=v=1&n=... (Yahoo Y cookie, garbled)
Browser: NokiaN72/5.0706.4.0.1 Series60/2.8 Profile/MIDP-2.0 Configuration/CLDC-1.1
Mobile DNI: Traditional Collection

The content also provides some “hints”.

[screenshot: XKS content view of the session (Type: HTTP GET; Raw Data / XML Format display). The captured request reads, as far as it is legible:]

GET /pp/messenger?... HTTP/1.1
Host: intl.m.yahoo.com
Accept: text/javascript, text/ecmascript, application/x-javascript, text/html, application/vnd.wap.xhtml+xml, multipart/mixed, text/vnd.wap.wml, application/vnd.wap.wmlc, application/vnd.wap.wmlscript, application/java, application/x-java-archive, text/vnd.sun.j2me.app-descriptor, application/vnd.oma.drm.content, application/vnd.wap.mms-message, application/vnd.wap.sic, application/vnd.oma.dd+xml, text/javascript, */*
Accept-Charset: iso-8859-1, utf-8, iso-10646-ucs-2, ...
Accept-Encoding: (garbled), deflate, identity, q=0...
Accept-Language: en
Cookie: Y=v=1; n=...; l=... (Yahoo Id); p=... (Gender: male, Birth year: 1964, Postal code: ...); b=...; r=...; lg=en-US (Language/content: English)
HTTP Activity Examples

The content also provides some “hints”.

Host: intl.m.yahoo.com

Accept: text/javascript, text/ecmascript, application/x-javascript, text/html, application/vnd.wap.xhtml+xml, multipart/mixed, text/vnd.wap.wml, application/vnd.wap.wmlc, application/vnd.wap.wmlscript, application/java, application/x-java-archive, text/vnd.sun.j2me.app-descriptor, application/vnd.oma.drm.content, application/vnd.wap.mms-message, application/vnd.wap.sic, application/vnd.oma.dd+xml, text/javascript, */*

User-Agent: NokiaN72/5.0706.4.0.1 Series60/2.8 Profile/MIDP-2.0 Configuration/CLDC-1.1

x-wap-profile: "http://nds1.nds.nokia.com/uaprof/N72r100.xml"
Mobile DNI: Traditional Collection

Sometimes there are even more “hints”.

[screenshot: HTTP Activity detail for a request that passed through a carrier WAP gateway. The gateway inserted X-MSP-* headers carrying the subscriber’s MSISDN; the slide’s callouts point at the Yahoo B cookie, the ip-address field and the MSISDN]

Yahoo B Cookie: B=chzgu... (garbled)
ip-address: (not legible)
X-MSP-APN: wap
X-MSP-MSISDN: 93707982562   <- MSISDN
X-MSP-MSISDN-HEX: 3933373037393832353632   (the same MSISDN, its ASCII digits hex-encoded)
User-Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE63-1/100.21.110; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413
x-wap-profile: "http://nds1.nds.nokia.com/uaprof/NE63-1r100.xml"
X-Nokia-MusicShop-Version: 1.0.0
X-Nokia-MusicShop-Bearer: GPRS/3G
Referer: http://...m.yahoo.com/... (garbled; a messenger URL with an r= parameter and tsrc=)
X-MSP-AG: DEFAULT_AG
X-MSP-APN: wap
X-MSP-CALLING-IP: (blank)
X-MSP-MSISDN: 93707982562
X-MSP-MSISDN-HEX: 3933373037393832353632
X-MSP-NODE-NAME: (garbled)
X-MSP-SESSION-ID: (garbled)
X-MSP-UG: DEFAULT_UG
X-MSP-WAP-CLIENT-ID: (garbled; resembles the MSISDN)
Via: (garbled; a Siemens gateway string)
iPhone Users!

[screenshot: HTTP Activity detail for an iPhone mail client talking to Yahoo]

Host: ...mail.go.yahoo.com (garbled)
Browser: iPhone Mail (5H11)
Cookie: Y=v=1; n=...; l=... (Yahoo login); p=... (Gender: female, Birth year: 1977, Postal code: ...); jb=34|32|9 (Industry: Telecommunications, Job: Network Administrator, ...); r=...; lg=en-US (language/content: English); intl=us (Country: United States); np=1; path=/; domain=yahoo.com
        T=... (garbled session token); path=/; domain=yahoo.com
User-Agent: iPhone Mail (5H11)
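The “traditional collection” slides list several places where a handset leaves a trace in otherwise ordinary DNI: the User-Agent string, the x-wap-profile (UAProf) header, an m./wap. hostname, WAP media types in Accept, and gateway-inserted X-MSP-* headers that carry the MSISDN both as digits and hex-encoded. The example below is added here and is not code from the slides or from XKS; it parses a raw request and reports each hint, and cross-checks the plain and hex MSISDN forms. The request is constructed (every value is made up), and the header-name prefixes and the hostname pattern are assumptions generalised from what the slides show, since other carriers and gateways use other names.

```python
"""Report 'the source is a handset' hints found in a captured HTTP request.

Added example; the checks mirror the hint sources the slides point at. The
sample request and all its values are constructed, not captured data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed request shaped like a Symbian phone behind a carrier WAP gateway.
SAMPLE_REQUEST = (
    "GET /pp/messenger?c=yahoo HTTP/1.1\r\n"
    "Host: intl.m.yahoo.com\r\n"
    "Accept: text/html, application/vnd.wap.xhtml+xml, text/vnd.wap.wml, */*\r\n"
    "User-Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE63-1/100.21.110; "
    "Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413\r\n"
    'x-wap-profile: "http://nds1.nds.nokia.com/uaprof/NE63-1r100.xml"\r\n'
    "X-MSP-APN: wap\r\n"
    "X-MSP-MSISDN: 4915112345678\r\n"
    "X-MSP-MSISDN-HEX: 34393135313132333435363738\r\n"
    "X-Nokia-MusicShop-Bearer: GPRS/3G\r\n"
    "Via: 1.1 wap-gateway.example.net\r\n"
    "\r\n"
)

# User-Agent fragments seen on the slides (Nokia/S60/MIDP, iPhone Mail) plus BlackBerry,
# which the XKS plug-in list names. Assumed list; extend for other handset families.
UA_MARKERS = [
    (re.compile(r"\bNokia", re.I), "Nokia device string in User-Agent"),
    (re.compile(r"SymbianOS|Series ?60", re.I), "Symbian/S60 platform in User-Agent"),
    (re.compile(r"Profile/MIDP-|Configuration/CLDC-"), "J2ME MIDP/CLDC tags in User-Agent"),
    (re.compile(r"\biPhone\b"), "iPhone client in User-Agent"),
    (re.compile(r"BlackBerry", re.I), "BlackBerry client in User-Agent"),
]
# Assumed hostname convention: an m./wap./mobile. label directly under the site domain.
MOBILE_HOST = re.compile(r"(^|\.)(m|wap|mobile)\.[^.]+\.[^.]+$", re.I)
WAP_MIME = re.compile(r"vnd\.(wap|oma)\.", re.I)
# Header prefixes the slides show the operator's gateway adding; other carriers differ.
GATEWAY_PREFIXES = ("x-msp-", "x-nokia-")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, headers); names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def decode_msisdn_hex(hex_digits: str) -> str:
    """X-MSP-MSISDN-HEX carries the ASCII digits of the MSISDN as hex bytes."""
    return bytes.fromhex(hex_digits.replace(" ", "")).decode("ascii")


def mobile_hints(raw: str) -> List[Tuple[str, str]]:
    """Return (category, evidence) pairs suggesting the request came from a handset."""
    _method, _target, h = parse_request(raw)
    hints: List[Tuple[str, str]] = []
    ua = h.get("user-agent", "")
    for pattern, label in UA_MARKERS:
        if pattern.search(ua):
            hints.append(("user-agent", label))
    if "x-wap-profile" in h:  # UAProf URL identifies the handset model
        hints.append(("uaprof", h["x-wap-profile"].strip('"')))
    host = h.get("host", "")
    if MOBILE_HOST.search(host):
        hints.append(("host", host))
    if WAP_MIME.search(h.get("accept", "")):
        hints.append(("accept", "WAP/OMA media types offered"))
    for name, value in h.items():  # carrier gateway inserted headers
        if name.startswith(GATEWAY_PREFIXES):
            hints.append(("gateway-header", f"{name}: {value}"))
    if "via" in h:
        hints.append(("via", h["via"]))
    return hints


def msisdn_from_headers(raw: str) -> Optional[str]:
    """Recover the gateway-inserted MSISDN, cross-checking the plain and hex forms."""
    _method, _target, h = parse_request(raw)
    plain = h.get("x-msp-msisdn")
    hexed = h.get("x-msp-msisdn-hex")
    decoded = decode_msisdn_hex(hexed) if hexed else None
    if plain and decoded and plain != decoded:
        raise ValueError(f"MSISDN mismatch: {plain!r} vs hex-decoded {decoded!r}")
    return plain or decoded


if __name__ == "__main__":
    for category, evidence in mobile_hints(SAMPLE_REQUEST):
        print(f"{category:15s} {evidence}")
    print("MSISDN:", msisdn_from_headers(SAMPLE_REQUEST))
```

The cross-check in `msisdn_from_headers` matters because the two MSISDN headers on the slide are produced independently by the gateway; a mismatch means one of them was rewritten in transit or the capture is damaged, and the number should not be trusted as a selector.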